On Thu, 18 Apr 2013, security curmudgeon wrote:
> This is a fair point. I do not know a lot about how CNAs run other than
> the overall process. I certainly hope that a CNA is not granted a big pool
> unless they demonstrate they need it. Such a demonstration should only be
> valid if they actually issue that many valid CVEs, and request more during
> the same year.
That is exactly the case. Each CNA is given a pool of a size that is
proportional to the number of CVEs they publish. At this stage, we
probably have 4 or 5 CNAs who can request 100+ CVEs at a time without
raising much concern. Other CNAs might only get 5 or 10. And nobody
becomes a CNA without having a reasonably large number of disclosures in a
year.
It seems to me that the average size of CNA pools is rising, although I
don't have stats.
> In 14 years, we have a single example of a non-MITRE CNA issuing a
> significant number of identifiers, and that is Kurt Seifried of RedHat.
> Even with the *incredible* amount of hours he spends on it, he too has
> said "I can't keep up in some situations". This is no insult to him by any
> means, it is a basic truth.
> I do not blame either one, but it illustrates the current model of CVE,
> and illustrates the problem with manpower and identifier assignment.
Accordingly, in the future, there may be a need to change that model.
The sources-and-products discussion of last year started to at least
define a starting point. We have deferred other discussions (e.g. quality
vs. quantity).
> > Another future scale issue: Automated ways to find vulnerabilities
> > could overwhelm the current 10K/year human-scale size of the problem.
>
> That is the primary example Carsten Eiram and I offer. A system where an
> automated code analysis tool can essentially auto-assign a CVE for each
> one found. We know the current state of this would mean an incredible
> number of false positives, so I can't see anyone arguing that CVE should
> ever move away from some level of manual review for assignment.
Even ignoring automated assignment, consider efforts like what j00ru and
Gynvael Coldwind are doing with ffmpeg, or Adam Gowdiak with Java, what
r0t did in 2005/2006, or what Dimitry Oboukhov did in 2008 when he
grepped for /tmp vulns in all the Debian packages about 5 years ago.
These days, individual researchers can produce many more valid vuln
reports than 10 years ago, and we have many more researchers today.
- Steve